Chapter 3 Attacks against ad hoc networks

While a wireless network is more versatile than a wired one, it is also more
vulnerable to attacks. This is due to the very nature of radio transmissions, which
are made on the air.

On a wired network, an intruder would need to break into a machine
of the network or to physically wiretap a cable. On a wireless network,
an adversary is able to eavesdrop on all messages within the emission
area, by operating in promiscuous mode and using a packet sniffer (and
possibly a directional antenna). There is a wide range of tools available
to detect, monitor and penetrate an IEEE 802.11 network, such as
NetStumbler, AiroPeek, Kismet, AirSnort, and Ethereal.
Hence, by simply being within radio range, the intruder has access to the network
and can easily intercept transmitted data without the sender even knowing (for
instance, imagine a laptop computer in a vehicle parked on the street
eavesdropping on the communications inside a nearby building). As the intruder
is potentially invisible, it can also record, alter, and then retransmit packets as
they are emitted by the sender, even pretending that packets come from a
legitimate party.

Furthermore, due to the limitations of the medium, communications can easily
be perturbed; the intruder can perform this attack by keeping the medium
busy sending its own messages, or just by jamming communications with
noise.

3.1 Attacks against the routing layer in MANETs

We now focus on attacks against the routing protocol in ad hoc networks. These
attacks may have the aim of modifying the routing protocol so that traffic flows
through a specific node controlled by the attacker. An attack may also
aim at impeding the formation of the network, making legitimate nodes
store incorrect routes, and more generally at perturbing the network
topology.

Attacks at the routing level can be classified into two main
categories: incorrect traffic generation and incorrect traffic relaying.
Sometimes these coincide with node misbehaviors that are not due to malice, e.g.
node malfunction, battery exhaustion, or radio interference.

3.1.1 Incorrect traffic generation

This category includes attacks which consist in sending false control messages: i.e.
control messages sent on behalf of another node (identity spoofing), or control
messages which contain incorrect or outdated routing information. The network
may exhibit Byzantine [94] behavior, i.e. conflicting information in different
parts of the network. The consequences of this attack are degradation
in network communications, unreachable nodes, and possible routing
loops.

Cache poisoning

As an instance of incorrect traffic generation in a distance vector routing protocol,
an attacker node can advertise a zero metric for all destinations, which will
cause all the nodes around it to route packets toward the attacker node.
Then, by dropping these packets (blackhole attack, see Section 3.1.2),
the attacker causes a large part of the communications exchanged in
the network to be lost. In a link state protocol, the attacker can falsely
declare that it has links with distant nodes. This causes incorrect routes to
be stored in the routing table of legitimate nodes, also known as cache poisoning.

Message bombing and other DoS attacks

The attacker can also try to perform Denial of Service on the network layer by
saturating the medium with a storm of broadcast messages (message bombing),
reducing nodes’ goodput and possibly impeding nodes from communicating. (This
is not possible under hybrid routing protocols, where nodes cannot issue
broadcast communications [154].) The attacker can even send invalid messages
just to keep nodes busy, wasting their CPU cycles and draining their battery
power. In this case the attack is not aimed at modifying the network topology in
a certain fashion, but rather at generally perturbing the network functions and
communications.

On the transport layer, Kuzmanovic and Knightly [92] demonstrate the
effectiveness of a low-rate DoS attack performed by sending short bursts repeated
with a slow timescale frequency (shrew attack). In the case of severe network
congestion, TCP operates on the timescale of the Retransmission Time Out (RTO).
The aggregate traffic (legitimate traffic as well as DoS traffic) triggers the
TCP congestion control mechanism, so the TCP flow enters a timeout and
awaits an RTO slot before trying to send another packet. If
the attack period is chosen to approximate the RTO of the TCP flow,
the flow repeatedly tries to exit timeout state and fails, producing zero
throughput. If the attack period is chosen to be slightly greater than the
RTO, the throughput is severely reduced. This attack is effective because
the sending rate of DoS traffic is too low to be detected by anti-DoS
countermeasures.

Another DoS attack performed on the transport layer is the subtle jellyfish attack by
Aad et al. [1], which deserves particular attention. Its authors point out that,
remarkably, it does not disobey the rules of the routing protocol, even if we may
argue that, strictly speaking, this is not always the case. It is indeed true, however,
that the jellyfish attack is difficult to distinguish from the congestion and packet
losses that occur naturally in a network, and is therefore hard and
resource-consuming to detect.

This DoS attack can be carried out by employing several mechanisms. The first
mechanism of the jellyfish attack consists in a node delivering all received
packets, but in scrambled order instead of the canonical FIFO order. This
malicious behavior causes duplicate ACKs, which produce zero goodput although
all sent packets are received. The attack cannot be successfully countered by
existing TCP packet reordering techniques, because such techniques are
effective only against sporadic, non-systematic reordering.
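The following is an added example, not code from the thesis or from Aad et al.: it models a cumulative-ACK TCP receiver and compares the duplicate ACKs produced by benign, sporadic reordering with those produced by a relay that systematically scrambles every window. The relay models (`jellyfish_relay`, `sporadic_relay`), the window size and the late-arrival metric are constructed assumptions; the three-duplicate fast-retransmit threshold is the standard TCP one.

```python
import random


def cumulative_acks(delivery_order):
    """ACK numbers a cumulative-ACK receiver emits, one per arriving segment.
    Segments are numbered 0..n-1 and an ACK carries the next expected
    sequence number, so an arrival that leaves a hole repeats the previous
    ACK: a duplicate ACK."""
    received = set()
    next_expected = 0
    acks = []
    for seq in delivery_order:
        received.add(seq)
        while next_expected in received:
            next_expected += 1
        acks.append(next_expected)
    return acks


def dup_ack_stats(acks):
    """Count duplicate ACKs and fast-retransmit triggers (the third
    consecutive duplicate of the same ACK, as in RFC 5681)."""
    dups = triggers = run = 0
    last = None
    for ack in acks:
        if ack == last:
            dups += 1
            run += 1
            if run == 3:
                triggers += 1
        else:
            run = 0
        last = ack
    return dups, triggers


def reorder_fraction(delivery_order):
    """Share of arrivals carrying a sequence number below the highest one
    already seen, i.e. segments that arrived behind a later segment.
    A receiver-side monitor can track this per relay."""
    highest = -1
    late = 0
    for seq in delivery_order:
        if seq < highest:
            late += 1
        highest = max(highest, seq)
    return late / len(delivery_order)


def jellyfish_relay(n, window, seed=0):
    """Constructed model of the reordering jellyfish: every window of
    `window` segments is shuffled before being forwarded; nothing is lost."""
    rng = random.Random(seed)
    out = []
    for start in range(0, n, window):
        chunk = list(range(start, min(start + window, n)))
        rng.shuffle(chunk)
        out.extend(chunk)
    return out


def sporadic_relay(n, swap_every):
    """Constructed model of benign reordering (e.g. a route change): one
    adjacent pair is swapped every `swap_every` segments."""
    out = list(range(n))
    for i in range(swap_every - 1, n - 1, swap_every):
        out[i], out[i + 1] = out[i + 1], out[i]
    return out


if __name__ == "__main__":
    for name, order in (("FIFO", list(range(100))),
                        ("sporadic", sporadic_relay(100, 20)),
                        ("jellyfish", jellyfish_relay(100, 16))):
        dups, triggers = dup_ack_stats(cumulative_acks(order))
        print(f"{name:10s} late={reorder_fraction(order):.2f} "
              f"dupACKs={dups} fast-retransmits={triggers}")
```

With FIFO delivery there are no duplicate ACKs at all; the sporadic relay yields one duplicate per swap and never reaches the three-duplicate threshold, which is exactly the kind of reordering TCP's fast-retransmit heuristics tolerate. The scrambling relay delivers every segment yet produces duplicates on most arrivals and repeatedly triggers spurious fast retransmits (each halving the congestion window), and its late-arrival fraction stays high window after window, which is the signal a monitor can use to separate systematic scrambling from occasional reordering.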

The second mechanism is the same as that used in the shrew attack, and
involves performing a selective blackhole attack by dropping all packets for a very
short duration at every RTO. The flow enters timeout at the first packet loss
caused by the jellyfish attack, then periodically re-enters the timeout state at
every elapsed RTO.

The third mechanism consists in holding a received packet for a random time
before processing it, increasing delay variance. This causes TCP traffic to be
sent in bursts, therefore increasing the odds of collisions and losses; it
increases the RTO value excessively; and it causes an incorrect estimation of
the available bandwidth in congestion control protocols based on packet
delays.

DoS attacks can also be carried out on the physical layer (e.g. jamming or
radio interference); in this case, they can be dealt with by using physical
techniques, e.g. spread spectrum modulation [126].

In sum, Denial of Service can be accomplished over different layers and in
several ways, and is quite difficult to counteract, even on a wired medium. The
topics regarding a full protection against DoS attacks are beyond the scope of this
thesis, and therefore are not discussed in detail.

3.1.2 Incorrect traffic relaying

Network communications coming from legitimate, protocol-compliant nodes may
be polluted by misbehaving nodes.

Blackhole attack

An attacker can drop received routing messages, instead of relaying them as the
protocol requires, in order to reduce the quantity of routing information available
to the other nodes. This is called a blackhole attack by Hu et al. [66], and is a
“passive” and simple way to perform a Denial of Service. The attack can be
carried out selectively (dropping routing packets for a specified destination, one
packet every n packets, one packet every t seconds, or a randomly selected portion
of the packets) or in bulk (dropping all packets), and may have the effect of
making the destination node unreachable or of downgrading communications in the
network.

Message tampering

An attacker can also modify the messages originating from other nodes before
relaying them, if a mechanism for message integrity (i.e. a digest of the payload)
is not utilized.

Replay attack

As topology changes, old control messages, though valid in the past, describe a
topology configuration that no longer exists. An attacker can perform a replay
attack by recording old valid control messages and re-sending them, to make
other nodes update their routing tables with stale routes. This attack is successful
even if control messages bear a digest or a digital signature that does not include
a timestamp.

Wormhole attack

The wormhole attack [67] is quite severe, and consists in recording traffic from
one region of the network and replaying it in a different region. It is carried out
by an intruder node X located within transmission range of legitimate nodes A
and B, where A and B are not themselves within transmission range of each
other. Intruder node X merely tunnels control traffic between A and B (and vice
versa), without the modification presumed by the routing protocol – e.g. without
stating its own address as the source in the packet header – so that X is
virtually invisible. This results in an extraneous, nonexistent A - B link
which is in fact controlled by X, as shown in Figure 3.4. Node X can
afterwards drop tunneled packets or break this link at will. Two intruder nodes
X and X′, connected by a wireless or wired private medium, can also
collude to create a longer (and more harmful) wormhole, as shown in
Figure 3.5.

The severity of the wormhole attack comes from the fact that it is difficult to
detect, and is effective even in a network where confidentiality, integrity,
authentication, and non-repudiation (via encryption, digesting, and digital
signature) are preserved. Furthermore, on a distance vector routing protocol,
wormholes are very likely to be chosen as routes because they provide a shorter
path – albeit compromised – to the destination. Marshall [103] points out a
similar attack, called the invisible node attack by Carter and Yasinsac [24],
against the Secure Routing Protocol [116].

Rushing attack

An attack that can be carried out against on-demand routing protocols is the
rushing attack [68]. Typically, on-demand routing protocols state that nodes must
forward only the first received Route Request of each route discovery; all
further received Route Requests are ignored. This is done in order to reduce
clutter. The attack consists, for the adversary, in quickly forwarding its Route
Request messages when a route discovery is initiated. If the Route Requests that
first reach the target’s neighbors are those of the attacker, then any discovered
route includes the attacker.

3.2 Attacks against the OLSR protocol

We now discuss various security risks in OLSR [3, 30]. The aim is not to
emphasize flaws in OLSR which, like several other routing protocols, did not
include security measures in its design. While these vulnerabilities are specific to
OLSR, they can be seen as instances of what other link state routing protocols,
such as OSPF, are subject to.

This section illustrates the principal hazards. More ingenious attacks may be
carried out against almost any operating function of the protocol.

It is worth noting that a node can force its election as an MPR by setting the
Willingness field to the WILL_ALWAYS constant in its HELLOs. According to
the protocol, its neighbors will always select it as an MPR. Using this mechanism,
a compromised node can easily gain, as an MPR, a privileged position inside the
network. It can then exploit its importance to carry out DoS attacks and the
like.

Note also that an attacker performing identity spoofing or message replay
needs to change the Message Sequence Number field of the spoofed or replayed
message. Otherwise, nodes that have already received a message with the
same originator and MSN (according to their Duplicate Set) will drop
the malicious message. Furthermore, accepting the malicious message
causes message loss: a legitimate message with the same originator and MSN,
received afterwards by the victim nodes, is dropped according to the protocol.

3.2.1 Incorrect traffic generation

One way in which a node can misbehave is by generating control messages in a
way that does not conform to the protocol.

Incorrect HELLO message generation

A misbehaving node X may send HELLO messages with a spoofed originator
address set to that of node C (Figure 3.1). Subsequently, nodes A and B may
announce reachability to C through their HELLO and TC messages. Furthermore,
node X chooses MPRs from among its neighbors, signaling this selection while
pretending to have the identity of node C. Therefore, the chosen MPRs
will advertise in their TC messages that they provide a last hop to C.
Conflicting routes to node C, with possible connectivity loss, may result from
this.

Figure 3.1:

Node X sends HELLO messages pretending to be C.

Under identity spoofing, another kind of attack is also possible. A
misbehaving node X can set the Willingness field to WILL_NEVER on its
HELLO messages sent on behalf of A. According to the protocol, nodes receiving
these messages will never choose A as an MPR, which may result in a
connectivity loss for some neighbors of A.

We call link spoofing the signaling of an incorrect set of neighbors in a
control message, and more precisely the signaling of a neighbor relationship
with non-neighbor nodes. A misbehaving node X may perform link spoofing in its
HELLO messages by advertising a link with non-neighbor node A, as in Figure 3.2.
This will result in C, and the other neighbors of X, storing an incorrect 2-hop
neighborhood and therefore selecting a wrong MPR set. In fact, node C will
probably select {X,D} as its MPR set, instead of the correct MPR set {X,B,D},
because the first set is smaller. As a consequence, messages originating
from E and relayed through the MPR mechanism will not reach node A.

Figure 3.2:

Node X sends HELLO messages advertising a fake link with A.

Node X can also misbehave by signaling an incomplete set of neighbors.
Depending on their links with other nodes, the ignored neighbors might
experience a breakdown in connectivity with the rest of the network.
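The following is an added example, not code from the thesis or from any OLSR implementation: a greedy MPR selection in the spirit of the RFC 3626 heuristic, run on a 2-hop neighborhood of node C constructed from the text's account of Figure 3.2 (the figure itself is not reproduced here; filler nodes G behind X and F behind D are assumptions). It shows why the spoofed X-A link makes C drop B from its MPR set, and also what the Willingness field does to the selection, as discussed above for WILL_ALWAYS and WILL_NEVER.

```python
# RFC 3626 willingness constants
WILL_NEVER, WILL_DEFAULT, WILL_ALWAYS = 0, 3, 7


def select_mprs(two_hop_via, willingness=None):
    """Greedy MPR selection after the RFC 3626 section 8.3.1 heuristic,
    as run by a node on the 2-hop neighborhood it reconstructs from its
    neighbors' HELLOs.

    two_hop_via : {neighbor: set of strict 2-hop nodes reachable through it}
    willingness : {neighbor: willingness advertised in its HELLO}
    Returns (mpr_set, two_hop_nodes_left_uncovered)."""
    willingness = willingness or {}

    def will(n):
        return willingness.get(n, WILL_DEFAULT)

    candidates = {n for n in two_hop_via if will(n) != WILL_NEVER}
    two_hop = set().union(*two_hop_via.values())
    # WILL_ALWAYS neighbors are selected unconditionally
    mprs = {n for n in candidates if will(n) == WILL_ALWAYS}
    covered = set().union(*(two_hop_via[n] for n in mprs))
    # Step 1: a neighbor that is the only candidate reaching some 2-hop node
    for node in two_hop - covered:
        providers = [n for n in candidates if node in two_hop_via[n]]
        if len(providers) == 1:
            mprs.add(providers[0])
            covered |= two_hop_via[providers[0]]
    # Step 2: repeatedly add the candidate covering the most uncovered nodes
    while two_hop - covered:
        best = max(candidates - mprs,
                   key=lambda n: (len(two_hop_via[n] - covered), will(n), n),
                   default=None)
        if best is None or not two_hop_via[best] - covered:
            break  # the remaining 2-hop nodes cannot be covered at all
        mprs.add(best)
        covered |= two_hop_via[best]
    return mprs, two_hop - covered


# Constructed 2-hop neighborhood of node C, modelled on the text's account of
# Figure 3.2 (G and F are assumed filler nodes behind X and D respectively).
TRUE_VIEW = {"X": {"G"}, "B": {"A"}, "D": {"F"}}
# The same neighborhood after X's HELLO falsely advertises a link with A.
SPOOFED_VIEW = {"X": {"G", "A"}, "B": {"A"}, "D": {"F"}}

if __name__ == "__main__":
    print("truthful HELLOs :", select_mprs(TRUE_VIEW))
    print("X spoofs link X-A:", select_mprs(SPOOFED_VIEW))
    print("B forced to WILL_NEVER:", select_mprs(TRUE_VIEW, {"B": WILL_NEVER}))
```

In the truthful view B is the only neighbor through which C reaches A, so step 1 forces B into the MPR set; once X claims a link to A, B is redundant and the smaller set {X, D} wins, and A is only reachable through X's nonexistent link. The last call models the willingness variant: a neighbor whose HELLO has been spoofed to WILL_NEVER is excluded from the candidates, and the 2-hop node it alone reached is reported as uncovered, which is the connectivity loss the text describes.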

Incorrect TC message generation

TC messages with a spoofed originator address cause incorrect neighbor
relationships to be advertised in the network. For instance, node X sends a TC
message on behalf of node C, advertising A as a neighbor (Figure 3.3). Node D,
upon reception of the TC message, will falsely conclude that C and A
are neighbors. For this attack to be successful, the TC message must
bear an ANSN (Advertised Neighbor Sequence Number) greater than the
highest ANSN value associated with C in any tuple of D’s
Topology Set; otherwise D will discard the TC message, according to the
protocol.

Figure 3.3:

Node X sends TC messages pretending to be C.

TC messages with spoofed links have the same effect, and can severely perturb
the network topology as stored by legitimate nodes.

Node X can also simply generate HELLOs, perhaps be selected as an MPR by
its neighbors, but refuse to generate TC messages or generate TCs signaling an
incomplete set of nodes. The OLSR specifications require that X includes at least
its MPR selectors in its TCs; if this requirement is not fulfilled, some nodes may
not have their link state information disseminated throughout the network and be
disconnected.

Node X, behaving incorrectly, can also send TC messages without being an
MPR. The protocol specifications state that only MPRs generate TCs; however,
there is no way of detecting whether the originator of a TC message is an MPR of
some node or not.

Incorrect MID/HNA message generation

A misbehaving node X can generate wrong MID/HNA messages, declaring
interfaces that are not its own (link spoofing), or falsifying the originator
address of the message (identity spoofing) so that another node apparently
declares interfaces that are not its own. In either case, nodes will have problems
reaching these interfaces.

ANSN attack

The misbehaving node may listen to a TC message from node A and record the
ANSN of the message; then it sends a TC with a spoofed originator address of
node A, and an ANSN much greater than the value recorded. According to the
protocol specifications, nodes will ignore further TC messages from A, because
these messages bear a smaller ANSN than that recorded in the Topology Set, and
are therefore considered to have arrived out of order. We call this an
ANSN attack. If no further action is taken by the attacker, the ANSN attack is
effective until the ANSN of node A reaches the value of the ANSN in the spoofed
TC.

This attack can be spotted because the spoofed TC bears an ANSN which is much
higher than that of the latest genuine TC message received from A (the
greater the difference between the two ANSNs, the longer TCs from A
are ignored). However, the misbehaving node may perform this attack
repeatedly, forging each time spoofed TC messages with a slightly greater
ANSN.

3.2.2 Incorrect traffic relaying

If control messages are not properly relayed, network malfunctions are
possible.

Blackhole attack

If a node fails to relay TC messages, the network may experience connectivity
problems. In networks where no redundancy exists (e.g. in a strip), connectivity
loss will surely result, while other topologies may provide redundant connectivity.

If MID and HNA messages are not properly resent, additional information
regarding nodes’ multiple interfaces and connections with external networks may
be lost.

Replay attack

As previously said, replaying old control messages in the network causes nodes to
record stale topology information. A control message cannot be replayed “as is” or
it will not be accepted by nodes that already received it, because of the MSN.
Therefore the attacker needs to increase the MSN of the message, causing possible
message loss. For a TC, the attacker must increase the ANSN too, indirectly
causing an ANSN attack. Replayed HELLOs may have a lesser impact, because
link state advertised in HELLOs must be given in a well-defined order (see
Section 9.1).
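The following is an added example, not code from the thesis or from any OLSR implementation. It models the two acceptance rules the text relies on, the Duplicate Set keyed by (originator, MSN) and the Topology Set ANSN comparison, at a victim node D, and replays the trace discussed in the ANSN attack (Section 3.2.1), the MSN note at the start of Section 3.2 and the replay attack above: a genuine TC, the same TC replayed as is, a spoofed TC with an inflated ANSN, and the genuine TCs that follow. The `ANSN_JUMP_THRESHOLD` detector and the constructed message values are assumptions; the wraparound comparison is the one RFC 3626 section 19 defines.

```python
from dataclasses import dataclass, field

MAXVALUE = 65535          # 16-bit sequence numbers (RFC 3626 section 19)
ANSN_JUMP_THRESHOLD = 16  # assumed detector setting: a larger advance is suspicious


def seq_greater(s1, s2):
    """RFC 3626 section 19 sequence comparison with wraparound: s1 > s2."""
    return ((s1 > s2 and s1 - s2 <= MAXVALUE // 2)
            or (s2 > s1 and s2 - s1 > MAXVALUE // 2))


@dataclass(frozen=True)
class TC:
    originator: str
    msn: int                # Message Sequence Number
    ansn: int               # Advertised Neighbor Sequence Number
    neighbors: frozenset    # advertised neighbor set


@dataclass
class NodeState:
    duplicate_set: set = field(default_factory=set)   # (originator, msn) seen
    topology: dict = field(default_factory=dict)      # originator -> (ansn, neighbors)
    alerts: list = field(default_factory=list)        # defender's observations


def process_tc(state, tc):
    """Apply the RFC 3626 acceptance rules for a TC message; return a verdict."""
    key = (tc.originator, tc.msn)
    if key in state.duplicate_set:
        return "dropped: duplicate (originator, MSN)"
    state.duplicate_set.add(key)
    prev = state.topology.get(tc.originator)
    if prev is not None:
        prev_ansn, _ = prev
        if seq_greater(prev_ansn, tc.ansn):
            return "dropped: ANSN older than Topology Set"
        if (tc.ansn - prev_ansn) % (MAXVALUE + 1) > ANSN_JUMP_THRESHOLD:
            # A genuine node advances its ANSN by one per neighbor-set change,
            # so a large jump is worth logging even though the message is accepted.
            state.alerts.append(f"{tc.originator}: ANSN jumped {prev_ansn}->{tc.ansn}")
    state.topology[tc.originator] = (tc.ansn, tc.neighbors)
    return "accepted"


def scenario():
    """Constructed trace as seen by victim D: genuine TCs from A, one replay,
    and a TC spoofed by X that carries A's address and an inflated ANSN."""
    d = NodeState()
    links = frozenset({"B"})
    trace = [
        TC("A", msn=10, ansn=100, neighbors=links),                   # genuine
        TC("A", msn=10, ansn=100, neighbors=links),                   # replayed as is
        TC("A", msn=11, ansn=5000, neighbors=frozenset({"B", "Z"})),  # spoofed by X
        TC("A", msn=11, ansn=101, neighbors=links),                   # genuine, MSN collides
        TC("A", msn=12, ansn=102, neighbors=links),                   # genuine, ANSN now "old"
    ]
    return [process_tc(d, tc) for tc in trace], d.alerts


if __name__ == "__main__":
    verdicts, alerts = scenario()
    for verdict in verdicts:
        print(verdict)
    print("alerts:", alerts)
```

The trace shows each effect the text describes in turn: the unmodified replay is dropped by the Duplicate Set; the spoofed TC with a bumped MSN is accepted and overwrites A's tuple; the next genuine TC from A is then lost because its MSN collides with the forged one; and every later genuine TC is rejected as out of order until A's ANSN catches up with 5000. The only defender-side hook is the jump alert on the third message, which is exactly the large ANSN difference the text says makes the attack spottable.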

Wormhole attack

An extraneous A - B link can be artificially created by an intruder node
X by wormholing control messages between A and B (Figure 3.4). A
longer wormhole can also be created by two colluding intruders X and X′
(Figure 3.5).

Figure 3.4:

A wormhole created by node X.

Figure 3.5:

A longer wormhole created by two colluding nodes X and X′.

To successfully exploit the wormhole, the attacker must wait until A and B
have exchanged sufficient HELLO messages (through the wormhole) to establish a
symmetric link. Until that moment, other tunneled control messages would be
rejected, because the OLSR protocol specifies that TC/MID/HNA messages
should not be processed if the relayer node (the last hop) is not a symmetric
neighbor. However, once created, the A - B link is at the mercy of the
attacker.

MPR attack

The “first transmit rule”, described in the OLSR specifications, states that a node
receiving a message in MPR flooding checks if the sender is its MPR selector. If
so, the node retransmits the message. If the sender is not an MPR selector of the
node, the latter will never retransmit the message. While this rule is established
for performance reasons (to avoid messages traveling on large loops in dense
networks), it could be exploited to impede the correct relaying of control
messages.

We call the related misbehavior an MPR attack. Consider the following
scenario (Figure 3.6): node A sends a message to its neighbors B and X,
where B is an MPR of A, X is not an MPR, and C is an MPR of B. The
misbehaving node X does not select its MPR set properly, and retransmits the
message (even though it is not supposed to); this copy is received by C. Node B
also retransmits the message to C. The crucial point is that C, even though it is
an MPR, will not relay the message because C has already received it from X.

Figure 3.6:

Node X performs an MPR attack.
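The following is an added example, not code from the thesis or from any OLSR implementation: a small event-driven simulation of MPR flooding under the first-transmit rule, run on a topology constructed from the text's account of Figure 3.6. Node E behind C and the per-node transmission latencies (X being the fastest) are assumptions, as is the `suppressed` bookkeeping, which records the symptom a node could log: a copy from an MPR selector arriving after a copy from a non-selector.

```python
import heapq


def mpr_flood(links, mpr_selectors, source, latency, misbehaving=frozenset()):
    """Simulate OLSR default forwarding with the first-transmit rule: a node
    acts only on the first copy of a flooded message, and retransmits it
    only if that copy came from one of its MPR selectors. Nodes listed in
    `misbehaving` retransmit regardless. Returns (received, suppressed):
    received  : {node: (arrival time, sender of the first copy)}
    suppressed: (node, first sender, later selector) triples where a copy
                from an MPR selector arrived after a copy from a non-selector,
                i.e. a relay that the rule suppressed (an observable symptom)."""
    received, suppressed = {}, []
    queue = [(0.0, 0, source, None)]   # (arrival time, tiebreak, node, sender)
    tiebreak = 1
    while queue:
        t, _, node, sender = heapq.heappop(queue)
        selectors = mpr_selectors.get(node, set())
        if node in received:
            first_sender = received[node][1]
            if sender in selectors and first_sender not in selectors:
                suppressed.append((node, first_sender, sender))
            continue                     # duplicates are never reprocessed
        received[node] = (t, sender)
        if node == source or node in misbehaving or sender in selectors:
            for nb in links[node]:
                heapq.heappush(queue, (t + latency[node], tiebreak, nb, node))
                tiebreak += 1
    return received, suppressed


# Constructed topology after the text's account of Figure 3.6; node E behind C
# and the per-node transmission latencies are assumptions (X is the fastest).
LINKS = {"A": {"B", "X"}, "B": {"A", "C"}, "X": {"A", "C"},
         "C": {"B", "X", "E"}, "E": {"C"}}
SELECTORS = {"B": {"A"}, "C": {"B"}}   # B is A's MPR, C is B's MPR, X is nobody's
LATENCY = {"A": 1.0, "B": 1.0, "X": 0.5, "C": 1.0, "E": 1.0}


def honest_run():
    """Every node follows the first-transmit rule."""
    return mpr_flood(LINKS, SELECTORS, "A", LATENCY)


def attack_run():
    """X retransmits although it is not an MPR of A."""
    return mpr_flood(LINKS, SELECTORS, "A", LATENCY, misbehaving=frozenset({"X"}))


if __name__ == "__main__":
    for label, run in (("honest", honest_run), ("MPR attack", attack_run)):
        received, suppressed = run()
        print(f"{label}: reached {sorted(received)}; suppressed relays {suppressed}")
```

In the honest run C first hears the message from B, its MPR selector, relays it, and E is reached. When X retransmits out of turn, its faster copy reaches C first; C records it as already received, so B's legitimate copy arriving later is discarded and E never gets the message. The `suppressed` entry ("C", "X", "B") is the trace a node could keep of this pattern: a first copy from a non-selector followed by a copy from a selector is what the first-transmit rule turns into a dropped relay, and a node seeing it repeatedly for the same non-selector has reason to suspect that neighbor.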

3.3 Summary of routing attacks

All the depicted attacks are possible at a theoretical level; most of them are very
easy to implement and require even less energy and effort than running a
protocol-compliant node. Table 3.1 summarizes the effect of each attack on each
particular function of an OLSR network.

Concerning the realism of these attacks (real attacks that have been observed
against existing networks), there is little or no data available. This is
probably due to the fact that ad hoc networks are in practice still used in limited
environments such as warfare operations, search and rescue missions, and research
centers; while the mainstream architecture for a wireless network is BSS, with
“hot spots” offered by various ISPs in airports, train stations, museums,
restaurants, and other public places.

It is indeed true that some offensive behavior (e.g. DoS) can also successfully
be carried out at the physical or transport layer. However, in our opinion, it is
necessary to foresee these routing attacks, otherwise when these attacks are
carried out (and certainly they will be) we will be unable to recognize them as
such.